Title: [218828] trunk
- Revision
- 218828
- Author
- sbar...@apple.com
- Date
- 2017-06-26 22:49:43 -0700 (Mon, 26 Jun 2017)
Log Message
RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
https://bugs.webkit.org/show_bug.cgi?id=173740
Reviewed by Mark Lam.
JSTests:
* stress/regexp-prototype-replace-builtin-should-not-use-for-of.js: Added.
(Array.prototype.Symbol.iterator):
Source/_javascript_Core:
The builtin was using for-of iteration to iterate over an internal
list in its algorithm. For-of iteration is observable via user code
in the global object, so this approach was wrong as it would break if
a user changed the Array iteration protocol in some way.
* builtins/RegExpPrototype.js:
(replace):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (218827 => 218828)
--- trunk/JSTests/ChangeLog 2017-06-27 03:33:12 UTC (rev 218827)
+++ trunk/JSTests/ChangeLog 2017-06-27 05:49:43 UTC (rev 218828)
@@ -1,5 +1,15 @@
2017-06-26 Saam Barati <sbar...@apple.com>
+ RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=173740
+
+ Reviewed by Mark Lam.
+
+ * stress/regexp-prototype-replace-builtin-should-not-use-for-of.js: Added.
+ (Array.prototype.Symbol.iterator):
+
+2017-06-26 Saam Barati <sbar...@apple.com>
+
Skip a test on 32-bit platforms since we run out of address space.
Rubber stamped by Mark Lam.
Added: trunk/JSTests/stress/regexp-prototype-replace-builtin-should-not-use-for-of.js (0 => 218828)
--- trunk/JSTests/stress/regexp-prototype-replace-builtin-should-not-use-for-of.js (rev 0)
+++ trunk/JSTests/stress/regexp-prototype-replace-builtin-should-not-use-for-of.js 2017-06-27 05:49:43 UTC (rev 218828)
@@ -0,0 +1,6 @@
+Array.prototype[Symbol.iterator] = function() {
+ throw new Error("Bad, this should not be called!");
+}
+
+let regexp = /(foo)/;
+regexp[Symbol.replace]("foo", "bar");
Modified: trunk/Source/_javascript_Core/ChangeLog (218827 => 218828)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-27 03:33:12 UTC (rev 218827)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-27 05:49:43 UTC (rev 218828)
@@ -1,3 +1,18 @@
+2017-06-26 Saam Barati <sbar...@apple.com>
+
+ RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=173740
+
+ Reviewed by Mark Lam.
+
+ The builtin was using for-of iteration to iterate over an internal
+ list in its algorithm. For-of iteration is observable via user code
+ in the global object, so this approach was wrong as it would break if
+ a user changed the Array iteration protocol in some way.
+
+ * builtins/RegExpPrototype.js:
+ (replace):
+
2017-06-26 Mark Lam <mark....@apple.com>
Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
Modified: trunk/Source/_javascript_Core/builtins/RegExpPrototype.js (218827 => 218828)
--- trunk/Source/_javascript_Core/builtins/RegExpPrototype.js 2017-06-27 03:33:12 UTC (rev 218827)
+++ trunk/Source/_javascript_Core/builtins/RegExpPrototype.js 2017-06-27 05:49:43 UTC (rev 218828)
@@ -252,7 +252,8 @@
let nextSourcePosition = 0;
let lastPosition = 0;
- for (result of resultList) {
+ for (let i = 0, resultListLength = resultList.length; i < resultListLength; ++i) {
+ let result = resultList[i];
let nCaptures = result.length - 1;
if (nCaptures < 0)
nCaptures = 0;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
